Under normal circumstances, a comprehensive security management system is most commonly a four-layer structure, which consists of the overall policy and strategy of network security work, various security management operating procedures and security configuration specifications, and various recording forms.
First-level document : Security strategy : clarify the mission and will, clarify the overall security goals, scope, principles and security framework, etc., establish the work operation mode, etc.
Secondary documents: Management system: Standardizes the behaviors that should be followed at each stage and link of the construction, development, operation, maintenance, upgrade and transformation of the information system.
Level 3 documents: Operating specifications: Specific operating steps and methods for each item, which can be a manual, a flow chart, or an implementation method.
Level 4 documents: Record forms: daily operation and maintenance records, approval records, meeting minutes and other documents.
Taking Class III Level 3 as an example, the list of systems and documents required under normal circumstances is as follows:
| file level |
Classification |
document content |
| first level document |
security strategy |
Security strategy overview |
| secondary documents |
Management System |
Management system for formulation, release and maintenance of management system |
| safety management agency |
Safety organization and job responsibility management system |
|
| Authorization and approval system |
||
| Safety audit and inspection system |
||
| .... |
||
| safety manager |
Management systems for personnel recruitment, departure, assessment, etc. |
|
| Management system for personnel safety education and training |
||
| External personnel management system |
||
| .... |
||
| Safety construction management |
Management system for project implementation process management |
|
| Management system for product selection and procurement |
||
| Management system for testing, acceptance and delivery |
||
| Software development management system |
||
| Code writing security practices |
||
| Outsourcing software development management system |
||
| ...... |
||
| Security operation and maintenance management |
Office environment management system |
|
| Computer room safety management system |
||
| Asset safety management system |
||
| Media security management system |
||
| Equipment safety management system |
||
| Network system security management system |
||
| Malicious code prevention management system |
||
| Password management system |
||
| configuration management system |
||
| change management system |
||
| Backup and recovery management system |
||
| Security incident management system |
||
| Emergency plan management system (including various special emergency plans) |
||
| ...... |
||
| Level 3 documents |
Configuration specifications |
Configuration baselines for network/security devices, operating systems, databases, etc. |
| Operation Manual |
Application software design program files |
|
| Software User Guide |
||
| Source code documentation |
||
| Operation and maintenance manual (process form/diagram, implementation method) |
||
| ...... |
||
| Level 4 documents |
Records, forms |
System formulation and modification records |
| Various approval records |
||
| training record |
||
| meeting minutes |
||
| Safety checklist, safety inspection report, etc. |
||
| Safety management position personnel information form |
||
| Network security outreach unit communication and cooperation contact form |
||
| confidentiality agreement |
||
| Critical Position Security Protocol |
||
| Personnel recruitment and resignation records |
||
| Authorization and approval records for modification, update and release of program resource library |
||
| Project implementation plan |
||
| Test acceptance plan, records, etc. |
||
| Security test report |
||
| delivery list |
||
| Service provider contracts, agreements, etc. |
||
| Security assessment records of service providers |
||
| External Personnel Access Registration Approval Form |
||
| External person access registration record form |
||
| Non-disclosure Agreement for Outsiders |
||
| Purchase requisition approval form |
||
| Asset list |
||
| Application form for scrapping of assets subject to level protection |
||
| Equipment exit strip |
||
| Equipment maintenance record sheet |
||
| Cyber Security Incident Reporting Form |
||
| System exception event handling records |
||
| Emergency Response Approval Form |
||
| Vulnerability scanning and risk assessment reports |
||
| Malicious code inspection records, virus disposal records |
||
| Data backup, recovery test and other records |
||
| Daily operation and maintenance forms and records |
||
| System change plan and approval records |
||
| Emergency drills and training records |
||
| ...... |
Enterprises can make choices and adjustments based on their own circumstances. For example, if they do not have their own development team, they do not need a software development management system and code writing safety regulations; if customized software development is entrusted to an outsourcing team, an outsourcing development management system is required.